[Oisf-users] file truncated

Miso Mijatovic mmijatovic at sorint.it
Tue Apr 21 16:05:12 UTC 2015


Hi,

> Have you done any tuning of the suricata.yaml?

yes, in addition to 

stream.checksum_validation no
stream.reassembly.depth 0
libhtp.default-config.request-body-limit 0
libhtp.default-config.response-body-limit 0

i commented the part about eth0 in the afpacket section because it is not a traffic interface;
i enabled the file-store (with force md5,force magic and waldo) and file-log (with force md5 and force magic);
i increased the stream memcap from default 32mb to 128mb;
i decreased the reassembly memcap from default 128mb to 64mb.

> What type of traffic and how much of it are you inspecting on what HW ?

I am inspecting 80/90 Mb of clients normal internet traffic, my hw have 12 Gb RAM on 8 processors.

Regards,
Miso Mijatovic



More information about the Oisf-users mailing list